OpenVPN And DD-WRT Part 1

Wouldn’t it be great if you could use free internet and not worry if the goofball at the next table or the stranger in the hotel room next door is recording everything you do? Well, you can if you use a properly secured VPN. The term ‘VPN’ refers to a Virtual Private Network. Think of your internet session as being enclosed by a tunnel. Some VPNs are more secure than others. One locked down by a free program called OpenVPN is as private as you can get.

With OpenVPN, you can use a public internet connection to privately connect to your home router and flow through your home internet connection just as if you were sitting at home all along. Your internet session will be as secure as your home internet.

OpenVPN uses SSL, which is the same security method used by the most secure shopping sites. Fortunately, SSL encryption using OpenVPN is much easier to set up and use than SSL-based solutions that involve web servers and knowledge of certificate servers. There’s still some busywork involved, but far, far less, and it’s much less complicated.

OpenVPN has two parts: the client part you install on your PC and the server part that’s pre-loaded on many devices. The server part is available on some home routers. Not many router manufacturers include it by default. You can get OpenVPN server if you install alternate firmware, such as DD-WRT and a few others, on your home router.

I’ve Read About This Before and It Looked Complicated

That’s exactly what I said until I learned how to set up and use an OpenVPN connection. The problem for me was that too many articles threw a lot of details against the wall and expected the reader to make sense of how they connected together. I also had to ignore everything I learned previously about certificate servers and certificate authorities. OpenVPN hides most of that from the user. You still have to get your hands dirty using copy and paste on a few files created by OpenVPN, but, otherwise, you don’t have to know what they are or how they work.

Long ago in school, someone said the best way to teach someone something is

Tell Them What You Are Going To Say

Say It

Tell Them What You Just Said

And that’s what I’m going to do here. First I will provide an overview. Then I will spill all the details. Finally, I will give you some charts that summarize much of what has been said. I’m going to split the full lesson into three parts. Part 1, this part, is the overview and the details about how to install OpenVPN on your PC and create all the certificates you will need. Part 2 will tell you how to configure OpenVPN server on your DD-WRT router and make the VPN connection. Part 3 is the summary.

A Funny Story. These articles were first posted in early November, 2014. OpenVPN appeared to work great. A couple of weeks later I was using public wi-fi and noticed that NO internet traffic was going out over the VPN. All traffic was out in the open. I took the three articles down for repair and then started my research into why OpenVPN via DD-WRT offered no browsing security.

The most important thing I discovered was that, by default, OpenVPN via DD-WRT directs NO traffic over the encrypted connection. Everything still goes out over public wi-fi unless you add a few commands that are not universally included in available instructions. In addition, those that do describe the additional requirements conflict with each other. Basically, most don’t work … or at least didn’t work for me. My fix was made of several bits from several articles and a lot of trial and error. The installation documented in Parts 1, 2, and 3 works well for me … or at least as well as OpenVPN works.

The tricky parts I discovered are pointed out as you read. I also fixed a few typos that would have otherwise caused problems. I won’t point them out. Sorry about that.

The end goal is to be able to browse securely using public wi-fi by creating an encrypted connection from your laptop through your home router. The session should be as secure as your home network. You will not be able to interact with other resources on your home network. For that, you should consider OpenVPN on a NAS box, a remote desktop application such as TeamViewer, or some other encrypted tunnel.

Before I Start, Is There An Easier Way To Safely Use Public WiFi?

Why, yes there is. OpenVPN protects anything that goes out over your internet connection. A different method that uses DD-WRT and its built in SSH Server allows you to browse safely with encryption. Only programs that can use an alternate port, such as browsers, can try it. Take a look.

OK, How Do I Start With OpenVPN?

Before anything else, get a public internet address that leads back to your home router. During the final stage of configuration, you will have to tell OpenVPN the URL of your home router. If you’re using DD-WRT then you will need to get one from a vendor of DDNS services that DD-WRT supports on the Setup/DDNS tab. You may have to pay for it. The DDNS service will link the IP address from your ISP to a name you create.

Next, download and install a copy of OpenVPN, checking all the boxes when asked which parts you wish to install.

[Update March 9, 2015: OpenVPN client for Windows has a security vulnerability for versions prior to 2.3.6-I002/I602, called Freak. It allows an extremely motivated hacker to perform a man-in-the-middle attack. The likelihood of attack for most people is slim. To completely eliminate it, according to OpenVPN, load the most recent version of OpenVPN for Windows.]

Then you open a Command Window using Administrator level privileges and navigate to the ..\OpenVPN\easy-rsa folder. While there you will …

Open a Command prompt with Administrator privileges.

Run a batch file.

Open Notepad with Administrator privileges to edit a file that the batch file in the previous step just created. You will type standard configuration values that later batch files will read for default values.

Run a few more batch files that each create certificates or keys for various purposes. These files will be written to ..\OpenVPN\easy-rsa\keys.

Now you configure DD-WRT.

Go to the Services/VPN tab

Enable the OpenVPN server

Configure the fields as described later

Copy and paste the text from four of the OpenVPN files created earlier into big boxes that are well marked

Copy and paste some ‘additional configuration’ text and modify it as required to match your particular network

Go to the Administration/Commands tab to copy and paste some firewall text, modifying it afterward to support your network.

Reboot your router, making sure to save and apply changes first.

Finally, you configure OpenVPN on each PC that will connect remotely.

Install OpenVPN

Copy some files you just created from ..\OpenVPN\easy-rsa\keys into ..\OpenVPN\config on the PC that will connect remotely

Open Notepad with Administrator privileges to modify file client.ovpn, telling OpenVPN your URL and a few other things

Start OpenVPN with Administrator privileges. Without using Administrator level privileges, OpenVPN will connect and look like it works, but will offer no default browsing security whatsoever. (One of the tricky bits.)

Open a command window with Administrator privileges and navigate to ..\OpenVPN\easy-rsa

***

Run batch file init-config.bat

***

Edit file vars.bat using Notepad or any other text editor. This is the file of default values all subsequent batch files will use for reference. Most values may be overridden when the later batch files are run.

Many people set the key size to 2048. Users who are familiar with OpenSSL should relax a bit. OpenVPN is far less sensitive about field names than if you were using OpenSSL to set up a secure web site on your web server. No values here need to tie back to your URL. Practically any values here are fine. Avoid using spaces between words because some values in later programs will also be used for file names and it’s unclear if OpenVPN will have issues down the road in that instance.

Other than KEY_SIZE, the values to consider changing are those at the bottom, starting with set KEY_COUNTRY. Leave the others alone. Just about any value is acceptable. CN stands for Common Name. This field is important later because it MUST MATCH the parameter used when later batch files are run.

***

This is how mine looks.

***

Run vars.bat

Run clean-all.bat

Run build-ca.bat

***

Next, build the certificate and key files that will be copied to the PC(s) that connect(s) remotely. If more than one PC will connect, you may choose to create separate file sets for each one. In the examples below, I created three file sets for three PCs.

When you invoke the batch file that creates the client files, you pass a client computer name as a parameter. This name MUST MATCH the Common Name field that is prompted for as the batch file runs. (The instructions and practice runs made it unclear if Name should also match. I also used the same value in that field.)

OpenVPN gives you a choice at this stage. You can build the client files so that they prompt for a password every time you call OpenVPN from your remote PC. This is optional. I used the names Laptop01, Laptop02, and Laptop03. You can name them anything you want. Many other articles on OpenVPN use the names Client1, Client2, and Client3.

Examples:

build-key.bat Laptop01

or

build-key-pass.bat Laptop01

Note that Laptop01 is entered as the Common Name and Name below.

The password is the first thing asked for. It will ask for confirmation. Ignore any password requests that might be prompted for toward the bottom of the file. Answer ‘Y’ to the two questions at the end asking you to sign and commit.

Following are all three client certificate requests.

***

Next you create the server certificate. I named this one DDWRTrouter. Most other lessons use the name server. You can call it anything you want. Just like the client batch file, you pass the name of the server as a parameter AND type it into the Common Name field. Like before, I also typed it into the Name field.

Run build-key-server.bat DDWRTrouter

***

Lastly, run build-dh.bat. It takes a couple of minutes to finish.

***

When done, folder ..\OpenVPN\easy-rsa\keys will look similar to this.

***

Easy-RSA is fussy about going back a step or two if you want to change something or add another client certificate. You may have to clear everything out and start over.

Four of the files above will be copied into DD-WRT via notepad and copy and paste. The boxes they are copied into are clearly marked.

ca.crt

DDWRTrouter.crt

DDWRTrouter.key

dh2048.pem

Three files will be copied as-is (using whatever naming convention you used for the client files) to each remote client computer. (..\OpenVPN\config)

ca.crt

Laptop01.key

Laptop01.crt
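The whole easy-rsa sequence above (init-config, vars, clean-all, build-ca, build-key-server, build-key, build-dh) followed by a few sanity checks, as one batch file. This is an added example, not the article’s own file set and not something shipped by OpenVPN or DD-WRT. It assumes OpenVPN 2.3 for Windows in its default folder, that openssl.exe lives in ..\OpenVPN\bin, and that the easy-rsa openssl cnf pre-fills the Common Name and Name prompts from the KEY_CN and KEY_NAME variables (the easy-rsa 2 sample does; if yours does not, type the same name at both prompts as described above). The folder, server and client names are the ones used in this article; change them to suit. Run it from a Command Prompt opened with Administrator privileges, since it writes under Program Files.

```batch
@echo off
REM make-ddwrt-pki.bat (added example; not from the article or from OpenVPN)
REM Runs the easy-rsa 2.x batch files in order, checks the output, and stages
REM the files each side needs. The interactive prompts still appear; press Enter
REM to accept the defaults and answer Y to the sign and commit questions.
setlocal

set EASYRSA=C:\Program Files\OpenVPN\easy-rsa
set OPENVPN_BIN=C:\Program Files\OpenVPN\bin
set SERVER_NAME=DDWRTrouter
set CLIENTS=Laptop01 Laptop02 Laptop03

REM openssl.exe ships in OpenVPN\bin; put it on PATH so the easy-rsa batch
REM files can find it instead of failing with "openssl is not recognized".
set PATH=%OPENVPN_BIN%;%PATH%
cd /d "%EASYRSA%" || exit /b 1

REM init-config.bat copies the sample vars.bat and openssl cnf into place.
if not exist vars.bat call init-config.bat

REM Load the defaults, then override the ones that matter. Overriding here
REM (assumed values) leaves vars.bat itself untouched.
call vars.bat
set KEY_SIZE=2048
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SomeCity
set KEY_ORG=HomeVPN
set KEY_EMAIL=admin@example.com
set KEY_OU=Home

REM Wipe keys\ and build the certificate authority.
set KEY_CN=HomeVPN-CA
set KEY_NAME=HomeVPN-CA
call clean-all.bat
call build-ca.bat

REM Server certificate: the parameter, Common Name and Name must all match.
set KEY_CN=%SERVER_NAME%
set KEY_NAME=%SERVER_NAME%
call build-key-server.bat %SERVER_NAME%

REM One certificate per client PC, same matching rule.
for %%C in (%CLIENTS%) do (
    set KEY_CN=%%C
    set KEY_NAME=%%C
    call build-key.bat %%C
)

REM Diffie-Hellman parameters; this is the slow step.
call build-dh.bat

echo.
echo ---- checks ----
REM Every certificate must chain to the CA you just created.
openssl verify -CAfile keys\ca.crt keys\%SERVER_NAME%.crt
for %%C in (%CLIENTS%) do openssl verify -CAfile keys\ca.crt keys\%%C.crt
REM The CN inside the server cert is the name the client side will expect.
openssl x509 -in keys\%SERVER_NAME%.crt -noout -subject
REM build-key-server marks the cert for server use; confirm that stuck.
openssl x509 -in keys\%SERVER_NAME%.crt -noout -purpose | findstr /C:"SSL server :"
REM Confirm the key size really is the one set above.
openssl rsa -in keys\%SERVER_NAME%.key -noout -text | findstr /C:"Private-Key"
REM The DH file name carries the size; make sure the parameters are sane.
openssl dhparam -in keys\dh%KEY_SIZE%.pem -noout -check

echo.
echo ---- files for DD-WRT (paste contents into the Services/VPN boxes) ----
for %%F in (ca.crt %SERVER_NAME%.crt %SERVER_NAME%.key dh%KEY_SIZE%.pem) do echo   keys\%%F

REM Each client gets ca.crt plus its own .crt and .key; stage one folder per
REM client, to be copied into ..\OpenVPN\config on that PC.
for %%C in (%CLIENTS%) do (
    if not exist "dist\%%C" mkdir "dist\%%C"
    copy /y keys\ca.crt "dist\%%C\" >nul
    copy /y keys\%%C.crt "dist\%%C\" >nul
    copy /y keys\%%C.key "dist\%%C\" >nul
    echo   staged client files in dist\%%C
)
endlocal
```

The checks are the part worth keeping even if you run the batch files by hand: `openssl verify` confirms each certificate was signed by the CA that will be pasted into DD-WRT, the `-purpose` line confirms the server certificate carries the server marking that the client side checks for, and the `Private-Key` and `dhparam -check` lines catch the common slip of generating 1024-bit material after intending 2048. Note the `.key` files are the private halves: the server key goes only into the router and each client key only onto its own PC, and the `dist` folders should be deleted once copied.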

Now, on to DD-WRT and OpenVPN – Part 2


7 Comments on “OpenVPN And DD-WRT Part 1”

I have to add something here (maybe needs to be added in the tutorial).
Some may have problems when they run build-ca.bat or any other bat that uses openssl.
Since I received an error that openssl is not a valid command when creating a certificate or key, I added the full path into the bat as:

This is from the newer version of OpenVPN client (2.3.8). If someone uses the newest version and encounters this problem, check that the path is in “FULL_PATH” and not without, otherwise you will receive the error:

Good God; do you folks have a life? I just don’t understand why anyone would put themselves through all of this, further endure more uncertainty, when every computer has a means to connect to a vpn, and many routers simply don’t require the DD-WRT nightmare… sheesh!

OpenVPN allows you to connect to your home router from public wi-fi. This allows both safe browsing and access to resources from home, including files and media. The only ports you need open are those associated with OpenVPN. Certificates and OpenVPN keep them secure. Once you’re connected, you are on the home network. No additional ports need to be opened or forwarded. On my router, a pfSense J1900 oriented home built device, I have 3 simultaneous OpenVPN servers, two tun and one tap. While I only need one server, the others were for hobby purposes. Eventually I’ll delete them.

Commercial VPNs are fine. I use them to be anonymous and to watch British TV on occasion. Occasionally, public wi-fi blocks OpenVPN on all ports and the commercial VPN manages to still get through. OpenVPN is free. The commercial VPNs are generally not free.

Agree that DD-WRT forces you to work pretty hard to build an OpenVPN server. Other devices are less difficult. pfSense allows someone with experience to create all certificates and specific user profiles and a server in a few minutes. However, people use what they have. Other software routers are similar although pfSense is the only one I know of that allows multiple servers. I used DD-WRT OpenVPN for a couple of years and was satisfied with it. pfSense provides more granular security with user profiles, and better overall security using pfBlockerNG and Snort, but I could still be happy with DD-WRT. If you own a DD-WRT router, then a DD-WRT OpenVPN server makes perfect sense.

Hint – if you are considering pfSense, beware a j1900 oriented router will not work in a few years. They will require processors with AES-NI by version 2.5, which will be out in maybe 2 or 3 years.

Craig, there is a point you are missing. Everything you do port forwarding for on any router is open to attack. So, for example, if I decide to port forward the IPMI interface on my server because I want to be able to login to the server from anywhere then there is a good chance that hacking attempts are made on my server. It is much safer to not open DVR cameras, servers (media interfaces), etc to the world and instead VPN from your remote computer and access it just as if you were sitting at that location physically. VPN’s aren’t just for anonymity.

Three things. One is that you’ll need to replace “proto tcp” with “proto tcp4-server” in the additional options if you have IPv6 turned off like I did. This is because newer versions of OpenVPN default to IPv6 and if it’s turned off on your DD-WRT router (or any router) then it won’t work. Two, “ns-cert-type server” is deprecated so you will get a warning. Finally, if after doing all this you get connected and it routes LAN traffic but won’t route WAN traffic while connected then check your Firewall setup. The first time when I copied from the tutorial and pasted, a few dashes were ASCII encoded. Fix them and it routes perfectly.

I went through the steps and I could not make a connection. After some reading on the DD-WRT site I had to enable sshd and log into my router. I found out that my router config file had embedded the Ctrl-M character at the end of each line. I had to remove the lines from the router config on the web page and use vi to reenter the commands. Once the config file was cleaned up, everything worked as it should. I want to add that everything else in these steps worked and I really appreciate the help you provided.